ARCHIVED from builddistributedsystem.com on 2026-04-28 — URL: https://builddistributedsystem.com/tracks/securitor/tasks/task-24-2-4-key-management
TASK

Implementation

Managing cryptographic keys is as important as the encryption itself. A KMS (Key Management System) generates data keys, wraps them with a master key (envelope encryption), and handles rotation so old data remains decryptable while new data uses fresh keys.

Implement a node that acts as a simple KMS:

// Generate a random AES-256 data key
{ "type": "generate_data_key", "msg_id": 1,
  "key_id": "data-key-1", "key_spec": "AES_256" }
-> { "type": "data_key_generated", "in_reply_to": 1,
    "key_id": "data-key-1",
    "plaintext_key": "<use once, then discard>",
    "encrypted_key": "<store this alongside the ciphertext>" }

// Envelope encryption: encrypt data with data key, encrypt data key with master key
{ "type": "envelope_encrypt", "msg_id": 2,
  "plaintext": "Secret data", "data_key": "DATA_KEY" }
-> { "type": "envelope_encrypted", "in_reply_to": 2,
    "encrypted_data_key": "<master-key-wrapped data key>",
    "ciphertext": "<base64>" }

// Rotate key to a new version (retain old for decryption)
{ "type": "rotate_key", "msg_id": 3,
  "key_id": "data-key-1", "new_version": 2 }
-> { "type": "key_rotated", "in_reply_to": 3,
    "old_version": 1, "new_version": 2,
    "previous_key_stored": true }

Sample Test Cases

Generate data key with KMS (Timeout: 5000ms)
Input
{
  "src": "app",
  "dest": "kms",
  "body": {
    "type": "generate_data_key",
    "msg_id": 1,
    "key_id": "data-key-1",
    "key_spec": "AES_256"
  }
}
Expected Output
{"type": "data_key_generated", "in_reply_to": 1, "key_id": "data-key-1", "plaintext_key": ".*", "encrypted_key": ".*"}
Envelope encryption (Timeout: 5000ms)
Input
{
  "src": "app",
  "dest": "crypto",
  "body": {
    "type": "envelope_encrypt",
    "msg_id": 1,
    "plaintext": "Secret data",
    "data_key": "DATA_KEY"
  }
}
Expected Output
{"type": "envelope_encrypted", "in_reply_to": 1, "encrypted_data_key": ".*", "ciphertext": "[A-Za-z0-9+/=]+"}

Hints

Hint 1
Generate a random AES data key; return both the plaintext version (use it once) and the encrypted version (store it)
Hint 2
Envelope encryption: encrypt data with the data key, encrypt the data key with the master key
Hint 3
Key rotation: create a new version of the key; keep the old version so old data can still be decrypted
Hint 4
previous_key_stored=true confirms the old key is retained after rotation
Hint 5
Escrow backup requires multiple approvals and returns an encrypted backup_id
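The three operations above (and Hints 1 to 4) worked through as an added Go example; this is not code from the page or from the Securitor project. It assumes a single key_id with a versioned master key, AES-256-GCM from Go's standard library, and a wrapped-key layout of one version byte followed by the GCM blob, with that version byte bound as associated data so a wrapped key cannot be presented under a different master version.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// KMS keeps every master key version (index = version-1); byte 0 of a wrapped blob names it.
type KMS struct{ masters [][]byte } // create with NewKMS so that version 1 exists
func NewKMS() *KMS { k := &KMS{}; k.RotateKey(); return k }
func (k *KMS) RotateKey() (oldVer, newVer int, previousStored bool) { // old versions kept
	m := make([]byte, 32)
	rand.Read(m)
	k.masters = append(k.masters, m)
	return len(k.masters) - 1, len(k.masters), len(k.masters) > 1
}
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// seal returns nonce || AES-256-GCM(key, nonce, pt, aad); open authenticates and reverses it.
func seal(key, aad, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, aad)
}
func open(key, aad, blob []byte) ([]byte, error) {
	if len(blob) < 12 { return nil, errors.New("blob too short") }
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}
// GenerateDataKey mints a random AES-256 data key; wrapped = version byte || seal(master[version], aad = version byte, key).
func (k *KMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = make([]byte, 32)
	rand.Read(plain)
	ver := byte(len(k.masters))
	return plain, append([]byte{ver}, seal(k.masters[ver-1], []byte{ver}, plain)...)
}
// Unwrap recovers a data key using whichever master version wrapped it, even after rotation.
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) == 0 || wrapped[0] == 0 || int(wrapped[0]) > len(k.masters) {
		return nil, errors.New("unknown master key version")
	}
	return open(k.masters[wrapped[0]-1], wrapped[:1], wrapped[1:])
}
// EnvelopeEncrypt (client side): data under a one-time data key, that key under the master.
func EnvelopeEncrypt(k *KMS, pt []byte) (wrappedKey, ct []byte) {
	plain, wrapped := k.GenerateDataKey()
	ct = seal(plain, nil, pt)
	for i := range plain { plain[i] = 0 } // use once, then discard
	return wrapped, ct
}
```

The JSON wire format (msg_id, in_reply_to, base64 fields) is left to the node's message layer; the client stores the wrapped key alongside the ciphertext and hands it back to Unwrap at decrypt time.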
OVERVIEW

Theoretical Hub

Concept overview coming soon

Key Concepts

KMS, envelope encryption, key rotation, data key, master key, escrow